PT-2019-14885 · Fusionpbx · Fusionpbx
Pierre Jourdan · Published 2019-10-21 · Updated 2023-02-04 · CVE-2019-16965
CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
FusionPBX versions up to 4.5.7
Description
A command injection vulnerability exists in the resources/cmd.php file because of a lack of input validation. It allows an authenticated administrative attacker to execute arbitrary commands on the host as www-data.
Recommendations
For FusionPBX versions up to 4.5.7, update to a version that includes input validation for the resources/cmd.php file to prevent command injection attacks. As a temporary workaround, consider restricting access to the resources/cmd.php file to minimize the risk of exploitation.
Weakness Enumeration
OS Command Injection
Affected Products
Fusionpbx